6to4 and 6in4 Tunnels

Eric de Thouars

Tom Eastep

Permission is granted to copy, distribute and/or modify this document under the terms of the GNU Free Documentation License, Version
1.2 or any later version published by the Free Software Foundation; with
no Invariant Sections, with no Front-Cover, and with no Back-Cover
Texts. A copy of the license is included in the section entitled
“GNU Free Documentation
License”.

6to4 tunneling with Shorewall can be used to connect your IPv6 network
to another IPv6 network over an IPv4 infrastructure. It can also allow you
to experiment with IPv6 even if your ISP doesn't provide IPv6
connectivity.

Getting your Feet Wet with IPv6, by Tom Eastep

6to4 tunnels provide a good way to introduce yourself to IPv6.
Shorewall6 was developed on a
network whose only IPv6 connectivity was a 6to4 tunnel; that network is
described in the remainder of this section. What is shown here requires
Shorewall6 4.2.4 or later.

Configuring IPv6 using my script

I have created an init script to make the job of
configuring your firewall for IPv6 easier.

The script is installed in /etc/init.d and configures IPv6,
including a 6to4 tunnel, at boot time. Note that the script is included
in the Shorewall6 distribution but is not installed in /etc/init.d by
default. The RPMs from shorewall.net install the file in the package
documentation directory.

The script works on OpenSuSE 11.0 and may need modification for
other distributions. On OpenSuSE, the script is installed by copying it
to /etc/init.d/ then running the command 'chkconfig
--add ipv6'.

At the top of the script, you will see several variables:

SIT - The name of the tunnel device. Usually 'sit1'

INTERFACES - local interfaces that you want to configure for
IPv6

ADDRESS4 - A static IPv4 address on your firewall that you
want to use for the tunnel.

SLA - The identity of the first local sub-network that you
want to assign to the interfaces listed in INTERFACES. Normally one
(0001).

You will notice that sit1, eth2 and eth4 each have an IPv6 address
beginning with 2002: -- all 6to4 IPv6 addresses have that in their most
significant 16 bits. The next 32 bits (ce7c:92b4) encode the IPv4
ADDRESS (206.124.146.180). So once you start the 6to4 tunnel, you are
the proud owner of 2^80 IPv6 addresses! In the
case shown here, 2002:ce7c:92b4::/48. The SLA is used to assign each
interface in INTERFACES a subnet of 2^64
addresses; in the case of eth2, 2002:ce7c:92b4:1::/64.

I run radvd on
the firewall to allow hosts connected to eth2 and eth4 to automatically
perform their own IPv6 configuration. Here is my
/etc/radvd.conf file:

You will note that the public IPv6 address of eth2
(2002:ce7c:92b4:2:2a0:ccff:fedb:31c4) was formed by concatenating the
prefix for eth2 shown in radvd.conf (2002:ce7c:92b4:2) and the lower 64
bits of the link level address of eth2 (2a0:ccff:fedb:31c4). You will
also notice that the address 2002:ce7c:92b4:2:2a0:ccff:fedb:31c4 appears
in the RDNSS clauses in radvd.conf; that causes my server to be
automatically configured as a DNS server.

The default route is described using the link level address of
eth2 on the firewall (fe80::2a0:ccff:fed2:353a).
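The address arithmetic described above (the 2002::/16 prefix carrying the IPv4 address, the SLA selecting a /64, and the host part built from the interface's MAC by the radvd clients) is worked through in this added Python example, which is not part of the Shorewall documentation or of the ipv6 init script. The only values used are the ones from the text (206.124.146.180, SLA 1 and the interface identifier 2a0:ccff:fedb:31c4); the MAC 00:a0:cc:db:31:c4 is inferred from that identifier and is an assumption.

```python
import ipaddress
from typing import Optional

SIXTO4_PREFIX = 0x2002  # every 6to4 address starts with 2002::/16


def sixto4_prefix(ipv4: str) -> ipaddress.IPv6Network:
    """The /48 a 6to4 site owns: 2002:<32 bits of the IPv4 address>::/48."""
    v4 = int(ipaddress.IPv4Address(ipv4))
    return ipaddress.IPv6Network(((SIXTO4_PREFIX << 112) | (v4 << 80), 48))


def sixto4_subnet(ipv4: str, sla: int) -> ipaddress.IPv6Network:
    """The /64 selected by a 16-bit SLA id inside the site's /48."""
    if not 0 <= sla <= 0xFFFF:
        raise ValueError("SLA must fit in 16 bits")
    base = int(sixto4_prefix(ipv4).network_address)
    return ipaddress.IPv6Network((base | (sla << 64), 64))


def embedded_ipv4(addr: str) -> Optional[ipaddress.IPv4Address]:
    """Recover the IPv4 tunnel endpoint encoded in bits 16..47 of a 6to4
    address; None if the address is not 6to4, so the check does not apply.
    Useful to confirm a 2002: address really belongs to ADDRESS4."""
    a = ipaddress.IPv6Address(addr)
    if a not in ipaddress.IPv6Network("2002::/16"):
        return None
    return ipaddress.IPv4Address((int(a) >> 80) & 0xFFFFFFFF)


def eui64_address(prefix: str, mac: str) -> ipaddress.IPv6Address:
    """The SLAAC address a radvd client forms: advertised /64 prefix plus the
    modified EUI-64 of its MAC (ff:fe inserted, universal/local bit flipped)."""
    octets = bytes.fromhex(mac.replace(":", ""))
    if len(octets) != 6:
        raise ValueError("MAC must be 48 bits")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    eui[0] ^= 0x02  # flip the U/L bit of the first octet
    net = ipaddress.IPv6Network(prefix, strict=False)
    if net.prefixlen != 64:
        raise ValueError("SLAAC needs a /64 prefix")
    return ipaddress.IPv6Address(int(net.network_address) | int.from_bytes(eui, "big"))


if __name__ == "__main__":
    print(sixto4_prefix("206.124.146.180"))        # 2002:ce7c:92b4::/48
    print(sixto4_subnet("206.124.146.180", 1))     # 2002:ce7c:92b4:1::/64
    # Assumed MAC, chosen so the result matches the interface id in the text.
    print(eui64_address("2002:ce7c:92b4:2::/64", "00:a0:cc:db:31:c4"))
    print(embedded_ipv4("2002:ce7c:92b4:2:2a0:ccff:fedb:31c4"))  # 206.124.146.180
```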

Configuring Shorewall

We need to add an entry in /etc/shorewall/tunnels and restart
Shorewall:

#TYPE ZONE GATEWAY GATEWAY_ZONE
6to4 net

Configuring Shorewall6

STOP -- If you have followed the
instructions above, you should have a completely functional IPv6
network. Try:

ping6 www.kame.net
ping6 ipv6.chat.eu.freenode.net

If neither of those works from your firewall and from any local
IPv6 systems that you have behind your firewall, do not go any further
until one of them does work. If you ask for help from the Shorewall
team, the first question we will ask is 'With Shorewall6 cleared, can
you ping6 kame or freenode?'.

The Shorewall6 configuration on my firewall is a very basic
three-interface one.

Connecting two IPv6 Networks, by Eric de Thouars

Suppose that we have the following situation:

We want systems in the 2002:100:333::/64 subnetwork to be able to
communicate with the systems in the 2002:488:999::/64 network. This is
accomplished through use of the
/etc/shorewall/tunnels file and the “ip”
utility for network interface and routing configuration.

Unlike GRE and IPIP tunneling, the
/etc/shorewall/policy,
/etc/shorewall/interfaces and
/etc/shorewall/zones files are not used. There is no
need to declare a zone to represent the remote IPv6 network. This remote
network is not visible on the IPv4 interfaces or to iptables. All that is
visible at the IPv4 level is an IPv4 stream which contains IPv6 traffic.
Separate IPv6 interfaces and ip6tables rules need to be defined to handle
this traffic.

In /etc/shorewall/tunnels on system A, we need
the following:

#TYPE ZONE GATEWAY GATEWAY_ZONE
6to4 net 134.28.54.2

This entry in /etc/shorewall/tunnels opens the
firewall so that the IPv6 encapsulation protocol (41) will be accepted
to/from the remote gateway.